{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "DKR003", "name": "Compose service `languagetool` image uses the latest tag", "shortDescription": {"text": "Compose service `languagetool` image uses the latest tag"}, "fullDescription": {"text": "The latest tag is mutable and can change without a code review, producing different images from the same source."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "If the image does not define USER internally, this service may run as root."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": ".dockerignore exists but does not cover common secret or VCS patterns."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Dockerfile base image is selected through a build variable", "shortDescription": {"text": "Dockerfile base image is selected through a build variable"}, "fullDescription": {"text": "Variable-selected base images can be safe, but Repobility cannot verify that the resolved image is pinned."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "info", "confidence": 0.48, "cwe": "", "owasp": ""}}, {"id": "MINED071", "name": "[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases.", "shortDescription": {"text": "[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED016", "name": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern.", "shortDescription": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-754 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "Workflow uses `secrets.ANTHROPIC_API_KEY` on a `pull_request` trigger", "shortDescription": {"text": "Workflow uses `secrets.ANTHROPIC_API_KEY` on a `pull_request` trigger"}, "fullDescription": {"text": "This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ANTHROPIC_API_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1287"}, "properties": {"repository": "meyayl/docker-languagetool", "repoUrl": "https://github.com/meyayl/docker-languagetool", "branch": "main"}, "results": [{"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `languagetool` image uses the latest tag"}, "properties": {"repobilityId": 130727, "scanner": "repobility-docker", "fingerprint": "8d35d7e422e29a6f9ef7507d866c203971bc42754cb47492f08413a2a556989b", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "meyay/languagetool:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|8d35d7e422e29a6f9ef7507d866c203971bc42754cb47492f08413a2a556989b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 130726, "scanner": "repobility-docker", "fingerprint": "e3328bc64c889ff7fe64631f37a644582be73e888b54bd14608903a4205472ed", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "java_base", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|e3328bc64c889ff7fe64631f37a644582be73e888b54bd14608903a4205472ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.fasttext"}, "region": {"startLine": 195}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 130723, "scanner": "repobility-docker", "fingerprint": "d0a694356ef4effb213e72f005e4f76feede799af173a8be73478201e3eebb1e", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "java_base", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|d0a694356ef4effb213e72f005e4f76feede799af173a8be73478201e3eebb1e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 172}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 130729, "scanner": "repobility-docker", "fingerprint": "b475622bc6c7ce56787d76ba73adf53e45403f7a8f2512d3760503f86cb3db5f", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "languagetool", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|b475622bc6c7ce56787d76ba73adf53e45403f7a8f2512d3760503f86cb3db5f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 130728, "scanner": "repobility-docker", "fingerprint": "97dfa280054fe91053c0b8faca2031f5a1f0c150e6a81ab204ad66cc0a0e6cca", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "languagetool", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|97dfa280054fe91053c0b8faca2031f5a1f0c150e6a81ab204ad66cc0a0e6cca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 130724, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 130725, "scanner": "repobility-docker", "fingerprint": "afc2b61702025ee53a994c273431f88bca38357183f9cf3a4fe057162be14e60", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "golang:${GO_VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|afc2b61702025ee53a994c273431f88bca38357183f9cf3a4fe057162be14e60"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.fasttext"}, "region": {"startLine": 186}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 130722, "scanner": "repobility-docker", "fingerprint": "c1431a7694ad9f1a8e9675215c71a403898d7ea995445fd88a8bef693313bbe4", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "golang:${GO_VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|c1431a7694ad9f1a8e9675215c71a403898d7ea995445fd88a8bef693313bbe4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 163}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases."}, "properties": {"repobilityId": 130721, "scanner": "repobility-threat-engine", "fingerprint": "608d3d22d91f3c7885c39458609d110befa29e90f4299da05ff602c4fedbccbc", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|608d3d22d91f3c7885c39458609d110befa29e90f4299da05ff602c4fedbccbc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "entrypoint/internal/download/download.go"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern."}, "properties": {"repobilityId": 130720, "scanner": "repobility-threat-engine", "fingerprint": "5452f8972ba219e11de3981ad48b4881b755da2c1e2e4471b0d210f5366f3662", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5452f8972ba219e11de3981ad48b4881b755da2c1e2e4471b0d210f5366f3662"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "entrypoint/internal/download/download.go"}, "region": {"startLine": 290}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 130719, "scanner": "repobility-threat-engine", "fingerprint": "2a6456fcb715169602c5f51f42c8fc7f67a304815e6c338bca0ee737ec5042d2", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "http.Get(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2a6456fcb715169602c5f51f42c8fc7f67a304815e6c338bca0ee737ec5042d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "entrypoint/internal/download/download.go"}, "region": {"startLine": 189}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.ANTHROPIC_API_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 130718, "scanner": "repobility-supply-chain", "fingerprint": "6ff2197d2010ca947864a9dc9333cbec96fd20a6c9772591e282c04846dfb57e", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6ff2197d2010ca947864a9dc9333cbec96fd20a6c9772591e282c04846dfb57e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude.yaml"}, "region": {"startLine": 165}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.ANTHROPIC_API_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 130717, "scanner": "repobility-supply-chain", "fingerprint": "81467e4e2835722ec851175306dec7d802d4c48b760c4e9faaa2c48e0dadbc4d", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|81467e4e2835722ec851175306dec7d802d4c48b760c4e9faaa2c48e0dadbc4d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude.yaml"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.ANTHROPIC_API_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 130716, "scanner": "repobility-supply-chain", "fingerprint": "939d451d8dac22789a5ce588fa0eba6ac4fc8dce9401833e0801874f3a799f90", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|939d451d8dac22789a5ce588fa0eba6ac4fc8dce9401833e0801874f3a799f90"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pipeline.yaml"}, "region": {"startLine": 449}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.DOCKERHUB_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 130715, "scanner": "repobility-supply-chain", "fingerprint": "c73eb194aa80df5ddfcf7ee1b4316f5dc5b130d69483b5a70316387af9907973", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c73eb194aa80df5ddfcf7ee1b4316f5dc5b130d69483b5a70316387af9907973"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pipeline.yaml"}, "region": {"startLine": 417}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.DOCKERHUB_USERNAME` on a `pull_request` trigger"}, "properties": {"repobilityId": 130714, "scanner": "repobility-supply-chain", "fingerprint": "fb155811483a9a50e3bab193e9136d887a74758f93e8fa6dda314e936c1bcc6c", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fb155811483a9a50e3bab193e9136d887a74758f93e8fa6dda314e936c1bcc6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pipeline.yaml"}, "region": {"startLine": 416}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.DOCKERHUB_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 130713, "scanner": "repobility-supply-chain", "fingerprint": "695dbf400c379eb9c0f127b0a1802b0334119036e89493b8dcab7221f3c1c1e0", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|695dbf400c379eb9c0f127b0a1802b0334119036e89493b8dcab7221f3c1c1e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pipeline.yaml"}, "region": {"startLine": 387}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.DOCKERHUB_USERNAME` on a `pull_request` trigger"}, "properties": {"repobilityId": 130712, "scanner": "repobility-supply-chain", "fingerprint": "f7afdd6a0f7ba547d67f5b81bd85fedc79e325dd09b5cdef9ca0e234ae10d6d9", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f7afdd6a0f7ba547d67f5b81bd85fedc79e325dd09b5cdef9ca0e234ae10d6d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pipeline.yaml"}, "region": {"startLine": 386}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.DOCKERHUB_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 130711, "scanner": "repobility-supply-chain", "fingerprint": "fbecce5a30694235b867b15ff3dfef5793966fac5d8c1814a31e8ff23dcd6041", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fbecce5a30694235b867b15ff3dfef5793966fac5d8c1814a31e8ff23dcd6041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pipeline.yaml"}, "region": {"startLine": 133}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.DOCKERHUB_USERNAME` on a `pull_request` trigger"}, "properties": {"repobilityId": 130710, "scanner": "repobility-supply-chain", "fingerprint": "cff5443be0656e268dcdf78cdf2b4647561d8c4a0be6deb4dd431a9a3cebd488", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cff5443be0656e268dcdf78cdf2b4647561d8c4a0be6deb4dd431a9a3cebd488"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pipeline.yaml"}, "region": {"startLine": 132}}}]}]}]}